AW: AW: AW: [Samba] Migration to Samba using external LDAPserver(CLARIFICATION NEEDED)

Matthew Easton v-vi at
Wed Oct 26 02:11:06 GMT 2005

As Eric Hall points out (and I hope he CC'ed you, as well.) The tools  
he linked to will preserve the userid and permissions.  If userid  
(the number) already maps to the same user (the name) on both  
systems, or if samba's mapping is properly configured, then the  
preserved userid and permissions will refer to the user you wish.   
Unfortunately I don't have a good understanding of all the ways you  
can map a user within samba --- though you may wish to find out about  
the /etc/samba/smbusers file.

But as I said in my earlier post, you can also use samba directives  
and unix modes to force the contents of an enclosing directory to be  
owned by a particular user or group, irrespective of the user who  
copies the files to the directory.  This could be useful, for  
example, if you are concerned that users may no longer own the  
contents of their own home directories after the migration, if the  
mappings are too complicated to set up in advance.

So you create home directories that force any new files to be owned  
by the user.  Then you move their files into the home directories and  
it just works

"set user id" (suid) and "set group id" (sgid) do this on the unix side:

Here, I'll demonstrate how sgid works:
# First I make a directory
[root at server root]# mkdir testdir

# See the default permissions
[root at server root]# ls -ld testdir
drwxr-xr-x    2 root     root         4096 Oct 25 18:19 testdir

# and if I make a file in the directory, these are the permissions
[root at server root]# touch testdir/myfile
[root at server root]# ls -l testdir
total 0
-rw-r--r--    1 root     root            0 Oct 25 18:20 myfile

# I change the group of the enclosing directory
[root at server root]# chgrp smbuser testdir
[root at server root]# ls -ld testdir
drwxr-xr-x    2 root     smbuser      4096 Oct 25 18:20 testdir

# But that has no effect on the group of new files, nor does it  
change old files (have to use chgrp -R for that)
[root at server root]# touch testdir/testfile2
[root at server root]# ls -l testdir
total 0
-rw-r--r--    1 root     root            0 Oct 25 18:20 myfile
-rw-r--r--    1 root     root            0 Oct 25 18:21 testfile2

# Therefor I set the group id (SGID) on the directory
[root at server root]# chmod g+s testdir
[root at server root]# ls -ld testdir
drwxr-sr-x    2 root     smbuser      4096 Oct 25 18:21 testdir

# Now when I make a new file, its group is the same as the directory  
-- even though I am not a member of the group

[root at server root]# touch testdir/testfile3
[root at server root]# ls -l testdir
total 0
-rw-r--r--    1 root     root            0 Oct 25 18:20 myfile
-rw-r--r--    1 root     root            0 Oct 25 18:21 testfile2
-rw-r--r--    1 root     smbuser         0 Oct 25 18:22 testfile3

# a similar command exists that will set the user id of a directory
     chmod u+s $directory

Imagine samba user home directories are in /home/users
You create all your users on the unix side and that creates home  
-- the home directories are owned by the respective users
-- you cd into /home/users and run the following command
         chmod u+s *
-- that makes each home directory set the user id of new files added  
to it to the owner of the directory.

Now if you (as root) copy Joe's files from the old server into his  
new home directory, all the files will owned by the new user joe--  
not by you.  Even if you do it without properly mapping the usernames.

Similarly, if you have a share for the finance group, you can change  
the group of the folder to finance, then do chmod g+s on the folder,  
and now all new files added to it will have the group finance.

To take this farther.  There is a samba directive called, I believe,  
"admin users"

     admin users = @finance

means that all members of the finance group will have full read/write/ 
delete privileges on files in the share called FINANCE_DIRECTORY.

( but don't take my word for it, I'm trying to write this from memory  
--- look up the directives and understand them for your particular  
situation )

On Oct 25, 2005, at 11:50 AM, Pseudomizer wrote:

> Thank you Matthew for this information but you told me what we have  
> already
> in place. So every tool you mentioned like rsync, tar, robocopy,  
> xcopy is
> already in place to copy the files to maintain the permissions.
> The question will be what happens after the copy process? The files  
> are now
> copied to the new destination folder and now I have files there  
> where the
> owner of the file will be the windows user account who copied the  
> file from
> A to B. Assuming that there will be additional entries in the ACLs an
> inherit of the permissions will not help here. The files will have  
> entries
> associated with specific SIDs.
> Will Samba be able to create the mapping to these "old permissions"  
> when one
> of the windows users try to access his files or other files?
> Regards,
> Pseudomizer
> -----Ursprüngliche Nachricht-----
> Von: at
> [ at] Im  
> Auftrag
> von Matthew Easton
> Gesendet: Dienstag, 25. Oktober 2005 03:54
> An: Pseudomizer
> Cc: samba at
> Betreff: Re: AW: AW: [Samba] Migration to Samba using external
> On Oct 24, 2005, at 1:43 PM, Pseudomizer wrote:
>> If we would copy the data with simple xcopy or robocopy using e.g.
>> an admin
>> account from the domain, then the files which will be created have
>> which
>> owner? Will the permissions still remain?
> Other poster mentioned rsync.  That or tar can preserve permissions
> as they are in the original file. You can run them over SSH to
> transfer files to another server.
> Not clear to me from your post whether you will need to run a tool on
> windows to move the data around.  If so, there is at least the
> windows ssh client called putty
> and a win32 port of tar 
> tar.htm
> but I suppose that once you tar up the files, you can simply drag
> them into a share on the new server and untar them with the -p flag.
> Aha.  Now I see you may have some issue mapping the old windows user
> to the new linux user uid. You can instead force user and group by
> manipulating the attributes of the enclosing directory.
>   -- see the earlier thread "[Samba] See inherit user, need inherit
> group"
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:

More information about the samba mailing list